I am doing a research on how to prevent my gmail account from being hacked and what are the options of claiming it back.

The associated phone number and recovery email can be changed, in fact I expect the attacker to change them immediately so there is no real value in them. Is there a way how to link my gmail account to my real life identity; a paid service maybe?

4 Answers

The hack-prevention side is pretty much covered by the dual-factor authentication that was recently introduced and the use of the "Always use HTTPS" setting (on by default in Gmail) for accessing Google, to avoid SSL-stripping attacks.

Now, when you have a compromised account and want to claim it back, Google has a structured procedure to verify you are the real owner of the account, in case the normal password recovery options do not work:

You have to complete a fairly detailed form and send it to them, and they say that it is a good thing to do so from an IP address that you have previously used to access the account - they obviously store those.

Among the details that they need you to provide are:

Whether you used Gmail with this Google account. If yes, what was the most recent mail recovery address you used (in case it has been changed), what are the e-mail addresses of your 5 most often contacted people, what are the names of 4 labels you have created in the account, whether you created the Gmail account using an invitation or not, etc.

If you used your Google account with other services, like Orkut, Blogger or any other, you provide details about them, like when you first started using them. The details need not be 100% correct - I guess a real person is going to assess the situation at some point after passing obvious checks.

Other details you have to provide include an estimate of when you started using any Google services at all (associated with the account), when you last logged in successfully and what is the last password you remember for this account (so they must be storing password hashes of previous passwords).

EDIT2: Just noticed you mention paid services. There is Google Apps for Business that offers some benefits for a moderate fee, including live phone support that could potentially help in situations like that, although not sure. On the other hand, there are indeed commercial services, dealing mostly with the authentication part, like DIGIPASS by Vasco. There are several services like that in the Google Marketplace.

Hey @john, please note that SSL stripping can still happen if the initial request to the website is unencrypted. "Always use HTTPS" does not eliminate this risk; using an https: bookmark does.
– Andrew Russell, Jul 4 '11 at 11:34

@Andrew Russell, yes, you are correct. Although, in the Gmail case, HSTS is used, which means that the window of opportunity for the attacker is only while doing the initial HTTP request. After that the browser will remember that the domain has to be served under HTTPS until the expiry date. Also, if that browser is Chrome, it will enforce HTTPS connections to Google sites by default (it contains a hardcoded list of HSTS-enabled Google domains).
– john, Jul 4 '11 at 18:22
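The two comments above describe how the SSL-stripping window shrinks once a browser has seen a Strict-Transport-Security header, and how a preload list closes it entirely. The following is an added example, not code from the original thread: a minimal model of a browser's HSTS cache (RFC 6797 semantics: the header is only honoured over TLS, `max-age` sets an expiry, `includeSubDomains` extends the policy, `max-age=0` revokes it). The preload entry for `mail.google.com` is a constructed stand-in for Chrome's built-in list, and the hosts, headers and clock values are assumptions for illustration.

```python
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's compiled-in preload list (assumption; the real
# Chrome list is compiled into the binary and far longer). host -> includeSubDomains
PRELOAD = {"mail.google.com": False}


def parse_sts(header: str):
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).
    Returns (max_age_seconds, include_subdomains) or None if the value is malformed."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # unknown directives (e.g. "preload") are ignored, as the RFC requires
    if max_age is None:
        return None  # max-age is mandatory
    return max_age, include_sub


class HstsCache:
    """Models the per-host policy store a browser keeps; `clock` is injectable for tests."""

    def __init__(self, preload=PRELOAD, clock=time.time):
        self.clock = clock
        # host -> (expiry_unix_time, include_subdomains); preloaded entries never expire
        self.policies = {h: (float("inf"), sub) for h, sub in preload.items()}

    def learn(self, host, over_tls, headers):
        """Record the policy a response from `host` carried. A header seen over plain
        HTTP is ignored (RFC 6797 section 8.1), so an on-path attacker serving a stripped
        page cannot plant or clear policies; only the genuine TLS origin can."""
        if not over_tls:
            return
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return
        parsed = parse_sts(value)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.policies.pop(host.lower(), None)  # max-age=0 revokes the policy
        else:
            self.policies[host.lower()] = (self.clock() + max_age, include_sub)

    def is_known_https(self, host):
        """True if `host` or a parent domain with includeSubDomains has an unexpired policy."""
        now = self.clock()
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.policies.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                del self.policies[candidate]  # expired: the stripping window reopens
                continue
            if i == 0 or include_sub:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser will actually request. An http:// URL to a known
        host is rewritten to https:// before any packet is sent; otherwise the plaintext
        request goes out and an on-path attacker can strip the redirect to HTTPS."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_https(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url
```

Walking a fresh cache through a first visit shows the window the comments talk about: `navigate("http://example.com/")` goes out in the clear until the site has been reached over TLS once and has sent the header; after `max-age` elapses the entry is dropped and the next plaintext navigation is exposed again, which is why long `max-age` values plus preloading matter.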

I'd recommend looking at Google's Advanced Sign-in feature. It's essentially a two-factor authentication style solution where an application downloaded to your Apple iOS, Android, or BlackBerry device is used to provide a token that you need to enter when you log in.

It wouldn't be a completely effective protection in every scenario, but does provide a bit of extra protection. I've used it for a while and it seems to work pretty well. If you need to use your Google account for devices that can't support the two-factor sign-in process then you can generate unique passwords for that application.

This might be me resurrecting a dead question, but I had an issue in the past few days where my gmail was hacked and used for spamming.

I got into the account quickly, changed the passcode, and then activated two-step authentication, which requires a phone number in order to authorize a login to your system via a 6-digit verification code. This has actually helped me to find instances where people were trying to log in to my email, but it wasn't me. As well, since they didn't know the passcode (I changed it after turning on 2-step auth), they couldn't even get to that step in their subsequent access attempts.

A year ago I easily recovered my stolen Gmail account, where the password and recovery options had been reset (changed by a hacker).

Depending on how you signed in and used your Gmail account, there is data identifying the original owner that can't be hacked or forged:

activation link sent during registration

activation code sent by SMS (or voice mail)

The email addresses of your most frequently emailed contacts

other data or codes used during initial creation of account

history of use (most frequent respondents, Gmail labels used, etc.)

BTW, I use forwarding from a few of my accounts to one "central" one, so I have copies and do not expose the main, most important account.

Reclaiming and recovering the Google account is automatic/programmatic and is accomplished in minutes if not seconds.

Here are screenshots:

Fig.1.1 Top Part of "Verify Your Identity Page"

Fig.1.2. Bottom Part of "Verify Your Identity" Page (there are some differences on different tries)

Now, this webpage is not accessible by a direct URL.
It is available by clicking the "Verify Your Identity" link at one stage of the multi-stage (or multi-page) process of recovering/restoring/resetting the Google/Gmail password.

Fig.1.3. Screenshot of "Password Help for AccName@GMAIL.COM" Page

The latter, in turn, is accessed, for example, by following the steps: